Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

mipsel.elf

ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header

initial sample

Details

Filetype:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header
Entropy:	7.979902191837311
Filename:	mipsel.elf
Filesize:	83116
MD5:	e302ea61784de173b05de4921ab3be13
SHA1:	1835257526d53a0b0e1250bbccec9d2a9ae386c3
SHA256:	c5589c3b963ea8a43a172fac7180d1065e9f77ef5395b3fbe622a26a37e2ba10
SHA512:	b2cce4a95d05c28e2f8cd311335b9c5d660c3751b7b31af1441aff2a61357f83855f11b268345bdd997bf3551349d1c250842352f34f4bc13773018d00b1d6ac
SSDEEP:	1536:DG26f58t9ur1Z2Us4N6nwV7wK+XfEgCKsL3eEPQ61O6bgQ6SPEO:DJ6xV1Z5RVRgns/F1OygQ1EO
Preview:	.ELF....................p...4...........4. ...(...............................................J...J................. ..nUPX!d..................._..........?.E.h;....#....A..R....\.Bp.......\|.4...r....:*b....Cx.N...4...%e.}_.%6no!Z.i.........!..o.v........

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Opens /proc/net/* files useful for finding connected devices and routers	Spreading	Remote System Discovery
ELF contains segments with high entropy indicating compressed/encrypted content	Hooking and other Techniques for Hiding and Protection
Uses the "uname" system call to query kernel version information (possible evasion)	Malware Analysis System Evasion	Security Software Discovery
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
URLs found in memory or binary data	Networking
Writes log files to disk	Persistence and Installation Behavior

/tmp/Infected.log

ASCII text, with CRLF line terminators

dropped

Details

File:	/tmp/Infected.log
Category:	dropped
Dump:	Infected.log.12.dr
ID:	dr_0
Target ID:	12
Process:	/tmp/mipsel.elf
Type:	ASCII text, with CRLF line terminators
Entropy:	4.71112089176799
Encrypted:	false
Ssdeep:	3:xRbQRAZvOWFsZWFBAK8dAuFUJ4gnicMMIVDt8Tovn:xR0qvOfZW8K8djmHicNoDt8kv
Size:	107
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Writes log files to disk	Persistence and Installation Behavior

Processes

Path

Cmdline

Malicious

/tmp/mipsel.elf

URLs

Name

Malicious

https://developers.google.com/search/docs/advanced/crawling/overview-google-crawlers)

unknown

http://upx.sf.net

unknown

Details

Name:	http://upx.sf.net
TargetID:	12
From Memory:	true
Current Path:	/tmp/mipsel.elf
Source:	mipsel.elf
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Sample is packed with UPX	Data Obfuscation	Obfuscated Files or Information
URLs found in memory or binary data	Networking

http://www.spidersoft.com)

unknown

http://help.yahoo.com/help/us/ysearch/slurp)

unknown

http://www.google.com/bot.html)

unknown

http://www.google.com/mobile/adsbot.html)

unknown

Domains

Name

Malicious

daisy.ubuntu.com

162.213.35.24

Details

Name:	daisy.ubuntu.com
IP:	162.213.35.24
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

181.214.231.152

unknown

Chile

Details

IP:	181.214.231.152
TargetID:	-1
Country:	Chile
Countrycode:	CHL
ASN number:	61317
ASN name:	ASDETUKhttpwwwheficedcomGB
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Suricata IDS alerts with low severity for network traffic	Networking
Connects to IPs without corresponding DNS lookups	Networking

Memdumps

Base Address

Regiontype

Protect

Malicious

7f51f8459000

page execute read

7f51f8459000

page execute read

7f51f84a3000

page read and write

558845bc2000

page read and write

7f527f7c5000

page read and write

7f528049f000

page read and write

7f527fe47000

page read and write

7f528049f000

page read and write

7f5278000000

page read and write

7f5280195000

page read and write

55884391b000

page execute read

7f5280376000

page read and write

558843ba3000

page read and write

7f51f8180000

page execute and read and write

7f51f84a3000

page read and write

7f51f8180000

page execute and read and write

55884391b000

page execute read

7f52804a7000

page read and write

7f5278021000

page read and write

558845bc2000

page read and write

7f527efbd000

page read and write

7f527fa83000

page read and write

7f5280376000

page read and write

558845bab000

page execute and read and write

7f527efbd000

page read and write

7f527fe64000

page read and write

558846784000

page read and write

558846784000

page read and write

7f5278021000

page read and write

7f527f7c5000

page read and write

558843bad000

page read and write

7f5278000000

page read and write

7ffca187e000

page read and write

558843ba3000

page read and write

7ffca187e000

page read and write

7f527fa83000

page read and write

7f527fe47000

page read and write

7f527fe24000

page read and write

7ffca19f5000

page execute read

7f52804ec000

page read and write

7f527fe64000

page read and write

7ffca19f5000

page execute read

7f527f7d3000

page read and write

558845bab000

page execute and read and write

7f527fe24000

page read and write

7f527f7d3000

page read and write

7f52804ec000

page read and write

558843bad000

page read and write

7f5280195000

page read and write

7f52804a7000

page read and write

There are 40 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
mipsel.elf

Files

Processes

URLs

Domains

IPs

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportmipsel.elf

Files

Processes

URLs

Domains

IPs

Memdumps

IOC Report
mipsel.elf